OpenBSD2.9 ssh to OpenBSD3.0 sshd - Secure connection to <ipaddress> refused.

From: fsh (fsh@sdnet.org)
Date: 02/15/02


Issue: Secure connection to <IPaddr> refused.
Impact: Unable to establish a secure connection to the OpenBSD 3.0 sshd box
from any other machine (ssh client on OpenBSD 2.9, ssh client using PuTTY
on Windows).

Info:
I have the default install of sshd on my OpenBSD 2.9 machine working fine.
My OpenBSD 3.0 box is installed i386 on a 486DX with 3com net cards. Network is
verified working. I ran tcpdump during a session from an OpenBSD 2.9 (ns1) ssh
client to the OpenBSD 3.0 (stratum) sshd and could see this traffic:
tcpdump: listening on le0
11:56:10.888667 ns1.domain.org.40464 > stratum.domain.org.ssh: S
2656381983:2656381983(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
0,nop,nop,timestamp 563725234 0> (DF)
11:56:10.889456 stratum.domain.org.ssh > ns1.domain.org.40464: R 0:0(0) ack
2656381984 win 0 (DF)
11:56:11.904466 ns1.domain.org.12388 > stratum.domain.org.ssh: S
3223265492:3223265492(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
0,nop,nop,timestamp 563725236 0> (DF)
11:56:11.905158 stratum.domain.org.ssh > ns1.domain.org.12388: R 0:0(0) ack
3223265493 win 0 (DF)
11:56:12.914556 ns1.domain.org.21682 > stratum.domain.org.ssh: S
3017043627:3017043627(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
0,nop,nop,timestamp 563725238 0> (DF)
11:56:12.915254 stratum.domain.org.ssh > ns1.domain.org.21682: R 0:0(0) ack
3017043628 win 0 (DF)
11:56:13.924471 ns1.domain.org.24699 > stratum.domain.org.ssh: S
2162454193:2162454193(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
0,nop,nop,timestamp 563725240 0> (DF)
11:56:13.925164 stratum.domain.org.ssh > ns1.domain.org.24699: R 0:0(0) ack
2162454194 win 0 (DF)

It appears to be hitting the server ok and I'm getting a reply back - which
means at least the client is communicating with the ssh daemon.

I ran sshd on the 3.0 box in debug mode (-ddd) and it went to listening.
This looks exactly the same on the 2.9 box:
# sshd -ddd
debug1: sshd version OpenSSH_3.0
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.

When I would try to make a connection from a remote client the debug would
not show anything. I then tried an ssh client on the OpenBSD 3.0 box and
connected to sshd on that same box and it worked fine. I also enabled
telnet (23) on the OpenBSD 3.0 box and it works fine from a remote machine,
indicating that this is narrowed down to an sshd (3.0) or ssh configuration
or incompatibility (not likely) issue. I suspect I have something set up wrong
(everything on the OpenBSD 2.9 and 3.0 boxes is a default install; no new
software has been configured or added).

Resolution: ? (Please help) Any ideas are welcome.

Thanks,

Mike

ssh_config (client) is optioned out "#" on both machines.

# OpenBSD 3.0 $OpenBSD: sshd_config,v 1.42 2001/09/20 20:57:51 mouring Exp $
Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh_host_rsa_key
HostKey /etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging
# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
# ChallengeResponseAuthentication no
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver

# OpenBSD 2.9 $OpenBSD: sshd_config,v 1.42 2001/09/20 20:57:51 mouring Exp $ (not a problem)
Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh_host_key
HostKey /etc/ssh_host_rsa_key
HostKey /etc/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes
# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging
RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
#CheckMail yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
Subsystem sftp /usr/libexec/sftp-server
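An added example, not part of the original post: a small Python parser for tcpdump lines in the format quoted above that pairs each client SYN with the server's reply and reports whether the TCP handshake completed. A RST that acks the client's ISN+1 is generated by the kernel or by a packet filter with a return rule before any listening process is involved, so a daemon running under sshd -ddd logs nothing for such an attempt. The sample input is constructed from two of the post's SYN/RST pairs (tcpdump's wrapped lines rejoined) plus one made-up SYN/ACK pair for contrast; the hostnames and ports are taken from the trace as printed.

```python
import re

# Constructed sample input: the first two SYN/RST pairs quoted in the post
# (tcpdump's wrapped lines rejoined) plus one constructed SYN / SYN-ACK pair
# for contrast, which is not from the post.
TRACE = """\
11:56:10.888667 ns1.domain.org.40464 > stratum.domain.org.ssh: S 2656381983:2656381983(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 563725234 0> (DF)
11:56:10.889456 stratum.domain.org.ssh > ns1.domain.org.40464: R 0:0(0) ack 2656381984 win 0 (DF)
11:56:11.904466 ns1.domain.org.12388 > stratum.domain.org.ssh: S 3223265492:3223265492(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 563725236 0> (DF)
11:56:11.905158 stratum.domain.org.ssh > ns1.domain.org.12388: R 0:0(0) ack 3223265493 win 0 (DF)
11:57:00.000000 ns1.domain.org.30001 > stratum.domain.org.ssh: S 1000:1000(0) win 16384 <mss 1460> (DF)
11:57:00.000700 stratum.domain.org.ssh > ns1.domain.org.30001: S 5000:5000(0) ack 1001 win 17376 <mss 1460> (DF)
"""

# Old-style tcpdump TCP line: "<ts> <src> > <dst>: <flags> <seq>:<end>(<len>) [ack <n>] ..."
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPF.]+) "
                  r"(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?")

def parse(trace):
    """Yield one dict per TCP line; non-matching lines (e.g. the header) are skipped."""
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["seq"] = int(d["seq"])
            d["ack"] = int(d["ack"]) if d["ack"] is not None else None
            yield d

def classify_handshakes(trace):
    """Pair each client SYN with the server's reply, keyed by client endpoint.
    'refused': RST acking ISN+1 came back, sent by the kernel or a packet filter
               before any listening daemon is involved.
    'accepted': SYN/ACK came back, so something is listening on that port.
    'no reply': nothing came back (a silently dropping filter looks like this).
    """
    pending = {}   # (client, server) -> client ISN
    verdict = {}
    for p in parse(trace):
        if p["flags"] == "S" and p["ack"] is None:         # pure SYN from client
            pending[(p["src"], p["dst"])] = p["seq"]
            verdict[p["src"]] = "no reply"
            continue
        key = (p["dst"], p["src"])                           # reply travels server -> client
        if key in pending and p["ack"] == pending[key] + 1:  # must ack our ISN+1
            if "R" in p["flags"]:
                verdict[p["dst"]] = "refused"
            elif "S" in p["flags"]:
                verdict[p["dst"]] = "accepted"
    return verdict
```

Run against the full capture from the post, all four client endpoints come out as refused, which points at the kernel's view of port 22 on the address being hit (or a filter in front of it) rather than at sshd's configuration.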
